Analysis
- Max time kernel: 48s
- Max time network: 47s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 20-05-2022 23:47
Static task: static1
Behavioral task: behavioral1
- Sample: Quotation.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Quotation.exe
- Resource: win10v2004-20220414-en
General
- Target: Quotation.exe
- Size: 761KB
- MD5: 82a8dd7c9cb60f7f27a3187735fe0e70
- SHA1: 64db00701378728d6bfa898795922017b3c39bcb
- SHA256: f9eb2b428ced4131d2846e50d56e87302b6b7ff986c6c524c55d5cef53111d2e
- SHA512: cd8939f5a729bd430644a074a4bc0792277843feb72e7cb47f8f7a46b0497381cb5354486b7dc4d9cceb0dbd0e6a78a08e7a768a8ebeb3c564fe11c74e05ed90
Malware Config
Signatures
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (6 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1888-62-0x0000000000400000-0x00000000004B0000-memory.dmp: family_masslogger
  - behavioral1/memory/1888-61-0x0000000000400000-0x00000000004B0000-memory.dmp: family_masslogger
  - behavioral1/memory/1888-63-0x0000000000400000-0x00000000004B0000-memory.dmp: family_masslogger
  - behavioral1/memory/1888-64-0x00000000004ABB2E-mapping.dmp: family_masslogger
  - behavioral1/memory/1888-66-0x0000000000400000-0x00000000004B0000-memory.dmp: family_masslogger
  - behavioral1/memory/1888-68-0x0000000000400000-0x00000000004B0000-memory.dmp: family_masslogger
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 1528 set thread context of 1888: Quotation.exe -> Quotation.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  - 1528: Quotation.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1528 Quotation.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / process / target process; identical entries collapsed with a count):
  - PID 1528 wrote to memory of 2000: Quotation.exe -> schtasks.exe (4 entries)
  - PID 1528 wrote to memory of 1688: Quotation.exe -> Quotation.exe (4 entries)
  - PID 1528 wrote to memory of 1888: Quotation.exe -> Quotation.exe (9 entries)
  - PID 1888 wrote to memory of 276: Quotation.exe -> dw20.exe (4 entries)
Processes (indentation shows the process tree depth)
- [1] C:\Users\Admin\AppData\Local\Temp\Quotation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jKyhYdgyjTlQP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - [2] C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 372
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp
  Filesize: 1KB
  MD5: 26f990560bfb3024dc98cf3749632fd5
  SHA1: fe1b53c74834dca04ea7ffba03cbf02d84aa7001
  SHA256: 342028a111af0b09929681a3d72d9cd1d1fb183b2070a0987e1eccdd57bb1283
  SHA512: 5b9bc34d995e402efefb2752723605870f8adb12e860abf8e99b9ded8fcd3cc7ebbfcb5f6029ff32012ac915e275b357ea469b10fff46c0993fb9685dc8c9e1e
- memory/276-70-0x0000000000000000-mapping.dmp
- memory/1528-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp (Filesize: 8KB)
- memory/1528-55-0x0000000074500000-0x0000000074AAB000-memory.dmp (Filesize: 5.7MB)
- memory/1888-62-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/1888-59-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/1888-58-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/1888-61-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/1888-63-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/1888-64-0x00000000004ABB2E-mapping.dmp
- memory/1888-66-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/1888-68-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/1888-72-0x0000000074490000-0x0000000074A3B000-memory.dmp (Filesize: 5.7MB)
- memory/2000-56-0x0000000000000000-mapping.dmp